OK I’ll keep this one simple and to the point..

If you enable BranchCache via ConfigMgr Client Settings – you might end up with a TON of duplicate Firewall rules relating to BranchCache. It seems that every time you upgrade the CM Client – it creates a whole new set of BranchCache Firewall rules instead of reusing the ones already there. This also happens if you uninstall/re-install the CM Client..not ideal.

So – the moral of the story is – don’t enable it that way! Just use any of the following methods to enable BranchCache instead and you’ll be fine. The ConfigMgr team are aware of the issue (actually a Windows bug) so the following is a ‘quick and dirty’ fix to keep you BranchCach-ing safely and efficiently.

2Pint Task Sequence – https://2pintsoftware.com/download/enable-branchcache-task-sequence/

2Pint Configuration Item (CI) – https://2pintsoftware.com/download/branchcache-tuner-ci-configmgr/

Batch file! Just run ‘netsh branchcache set service mode=distributed’ and you’re off

PowerShell! ‘Enable-BCDistributed’ is all it takes..
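Before you rip anything out, it helps to see how bad the bloat actually is – and to confirm the rules come back exactly once each afterwards. The PowerShell below is an added example written for this page, not 2Pint’s code and not part of the Task Sequence or CI linked above. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and uses the seven BranchCache rule names that Windows creates (the same names the clean-up script further down deletes); the function names Get-BCFirewallRuleReport and Test-BCFirewallRulesClean are made up here. Run it from an elevated PowerShell, or drop the two functions into a ConfigMgr CI discovery script.

```powershell
# Added example (not 2Pint's code): report how many copies of each BranchCache
# firewall rule exist, so you can see the duplicates before deleting them and
# verify the result afterwards. Needs the NetSecurity module (Win8/2012+).

# The seven rule names Windows creates for BranchCache (assumed from the
# netsh rule names used in the clean-up script on this page).
$BCRuleNames = @(
    'BranchCache Content Retrieval (HTTP-In)',
    'BranchCache Content Retrieval (HTTP-Out)',
    'BranchCache Peer Discovery (WSD-In)',
    'BranchCache Peer Discovery (WSD-Out)',
    'BranchCache Hosted Cache Server (HTTP-In)',
    'BranchCache Hosted Cache Server (HTTP-Out)',
    'BranchCache Hosted Cache Client (HTTP-Out)'
)

function Get-BCFirewallRuleReport {
    # One object per expected rule name: how many copies exist, how many of
    # those are enabled, and whether the name is duplicated at all.
    # Rules that are missing entirely show up with Copies = 0.
    $rules = Get-NetFirewallRule -DisplayName 'BranchCache*' -ErrorAction SilentlyContinue
    foreach ($name in $BCRuleNames) {
        $copies = @($rules | Where-Object DisplayName -eq $name)
        [pscustomobject]@{
            DisplayName = $name
            Copies      = $copies.Count
            Enabled     = @($copies | Where-Object Enabled -eq 'True').Count
            Duplicate   = $copies.Count -gt 1
        }
    }
}

function Test-BCFirewallRulesClean {
    # $true when no BranchCache rule name appears more than once.
    # Usable as the discovery logic of a ConfigMgr Configuration Item.
    $dupes = @(Get-BCFirewallRuleReport | Where-Object Duplicate)
    return ($dupes.Count -eq 0)
}

# Show the per-rule counts, then a single compliance verdict (the string a
# ConfigMgr CI discovery script would return).
Get-BCFirewallRuleReport | Format-Table -AutoSize
if (Test-BCFirewallRulesClean) { 'Compliant' } else { 'NonCompliant' }
```

Run it once before the clean-up to see the duplicate counts, and again after – in distributed mode you should see exactly one copy of each of the four Content Retrieval / Peer Discovery rules and zero of the Hosted Cache ones.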

Help – My Firewall is Bloated and Uncomfortable already!

Fear not! Simply run this bit of PowerShell (elevated – it deletes firewall rules and reconfigures a service) and it will de-gas your Firewall in no time at all. It simply nukes all the existing BranchCache Firewall rules – duplicates included – and re-enables BranchCache (and in doing so re-creates the correct Firewall Rules)*

The 2Pint BranchCache Tuner CI will do the same if you prefer it – but this is a fast fix..

# Quick and dirty script to remove all existing BranchCache Firewall Rules and
# reset BranchCache using netsh, which will recreate the rules.
# Feel free to add some error checking y'all - you know it makes sense..
# Must run elevated - deleting firewall rules and reconfiguring the service
# both need admin rights.
#Requires -RunAsAdministrator
 
# Stop the service - BranchCache doesn't like you ripping out firewall
# rules while it's running..
$s = Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue
 
If ($s) {
    Stop-Service -Name $s.Name -Force
}
 
# 'netsh advfirewall firewall delete rule name=...' deletes EVERY rule with
# that name - which is exactly what we want, as it clears the duplicates too.
#=======================================
# Remove Content Retrieval Rules (IN/OUT)
#=======================================
netsh advfirewall firewall delete rule name="BranchCache Content Retrieval (HTTP-Out)"
netsh advfirewall firewall delete rule name="BranchCache Content Retrieval (HTTP-In)"
 
#=======================================
# Remove Peer Discovery Rules (IN/OUT)
#=======================================
netsh advfirewall firewall delete rule name="BranchCache Peer Discovery (WSD-Out)"
netsh advfirewall firewall delete rule name="BranchCache Peer Discovery (WSD-In)"
 
#=================================================
# Invoke BranchCache setup to re-create the rules
# and restart the service
#=================================================
netsh branchcache set service mode=distributed
 
#=================================================
# Remove Hosted Cache Rules (IN/OUT) - For tidiness,
# they are not used in distributed mode
#=================================================
netsh advfirewall firewall delete rule name="BranchCache Hosted Cache Server (HTTP-In)"
netsh advfirewall firewall delete rule name="BranchCache Hosted Cache Server (HTTP-Out)"
netsh advfirewall firewall delete rule name="BranchCache Hosted Cache Client (HTTP-Out)"

*Usual disclaimers apply – i.e it wasn’t us, we weren’t even in the country at the time etc..

cheers

Phil 2Pint